Unfolding ‘DOUBLE TWINS’ Deception Scheme

Monday, July 29, 2013

Mikko Jakonen



There are a lot of ongoing scams and frauds that use a relatively large number of people as targets and the Internet as the delivery method. This, however, is a much bigger scheme that uses very traditional models of deception together with the capabilities of the Internet.

What makes it most interesting: it was a ‘quick in – quick out’ job, completed within 3 weeks from the start. The perpetrators ordered the 1st hoaxed domain on 6.6.2013 and the whole scam was completed on the 15th of June. A way to make some 2.2M€ in black markets; it’s not bad – eh?

‘DOUBLE TWINS’ is a deception scheme combining modern-world speed, the ease of operating anonymously over the Internet, and the difficulty of verifying real corporate and personal identities. As of today – unfortunately – while some variables are still fluctuating, I am not able to disclose names, numbers and perpetrators.

The scheme allowed the perpetrators to perform major identity theft and fraud, generating a significant amount of funds while making it look like a totally legitimate operation. The organizing looks highly professional, whilst the approach itself is still relatively simple for performing the ruse.

With all this coupled with the capability to efficiently hide tracks using well-known techniques, it is a bit amazing that criminals are still pushing forward with much simplified, traditional approaches with a smaller ROI. Luckily enough, THIS particular dragnet is about to collapse.

The name ‘DOUBLE TWINS’ refers to the way the perpetrator utilized the chain of trading and logistics in parallel with running the fraudulent scheme with all the parties.


The Target – organization org.fi, unaware of such a scam in progress. Unluckily matches the demand and lacks a suitable Internet domain presence, which the scam artists are easily able to obtain from public markets. MyCompany.fi DOES NOT equal MyCompany.com – right?

Mr. AKA RealName, CEO – The scam artist. Hoaxed CxO of the hoaxed organization name, having all the details in place, such as a prepaid cellphone and details exactly matching the Target organization. Has the email address aka.realname@org.com, which indeed looks like the real thing. Covers the company by disclosing as suitable data as possible for making the scam happen; like “We have not selected any particular vendor, but we buy from whom we have the most suitable co-operation” – “We are rapidly expanding our operations in the EU and need stuff quickly in place”, etc.

Equipment Vendor X – Makes the equipment & imports for distribution. Works closely with value added resellers (VAR) and distributors. Easily the primary contact when asking where to buy some amount of their gadgets. Typically gives the lead to a suitable VAR without too much hesitation about the origins of the request.

VAR – aka Value Added Reseller – sells the stuff for making their cut. Gets the lead from the vendor and makes a credit check for The Target (yea, here it goes definitely wrong..), obtains and buys stuff from the distributor and sets pricing together with the vendor to suit their percentage. Handles the bid and order confirmation from The Target.

Transportation & Logistics Co. – hauls the equipment cargo the Trans-European way from north to south and back. Works with anyone who has stuff to deliver, domestic or abroad.

IT Service vendor, domain name supermarket etc. – Provides Internet speed and background for the scam itself.


This is how it supposedly (yea, let’s leave some space…) went. The whole operation evidently started approx. 1-2 months prior to the scam deployment activities. Whilst the model of operations looks highly targeted, it’s not – till the end anyway. It just touches the chain deep enough to cover the essentials, avoiding unnecessary alerts. The targeting goes just far enough to meet the suitable criteria.

The flow follows the classical model used by criminal organizations around the world: define target, recon suitable objects, define required steps, organize back office (a.k.a. have the middleman), deploy payload (the scam), verify it works, avoid detection, cleanup, shutdown, observe.

Let me remind you: It is about professional, organized crime. Where there is a will – there is a way. Keep it simple.



The scam artist(s) required suitable organizations as their objects – both for the identity theft and for the deception parts. It was summertime, schools were out and people were on their various holiday activities. So there was minimal manning, and the identity theft ‘recipient’ side was hard to reach if others in the chain could bypass the scam activities.

Taking into account the suitability of the target organizations, the artists needed several pieces of background information: the organization to be targeted for forgery (yea!), organizations to approach, verify and lead, and in the end – organization(s) to deliver.

While selecting targets, they were simultaneously looking for similar kinds of organizations with characteristics such as reliable operation, no credit issues, and being neither too large nor too small, which would make them either too organized or too small to be reliable in such a chain.

In the end, with ‘DOUBLE TWINS’ the selection criteria for targets were approx.:

  • Only a few hired staff/personnel; a managing organization OR holding company.
  • Known executive-level decision maker with contact details.
  • Operations abroad (outside of FINLAND).
  • Reliable credit information when a check is done.
  • Crucial: Internet domain availability (@company.com) to register on foreign soil.
  • Turnover suitable for making such a scam possible; 3-12 M€ per year.
  • etc.


Obtaining such information is a no-brainer in a well-connected society such as Finland and the rest of Scandinavia and the Baltics. However, this made me question whether this would have been possible in, for example, Estonia, as they DO have a well-crafted security infrastructure for companies making these kinds of transactions and for protecting against fraud.

You can get most of the needed information directly from public sources, simultaneously checking whether the organization has an Internet domain such as org.com available. Here’s the easy trick – the legal name of OrganizationABC does NOT necessarily have its e-mail addresses associated with the company name, leaving space for scam artists to go to the local GoDaddy.com superstore and BUY a domain for their various needs.

On top of that, legislation says that some company records are public, and for example whoever has signing authority – a procura – typically has the authority to BUY stuff in the company’s name as well. Most CEOs do have the authority alone.

As OrganizationABC exists, a known CxO exists and recon tells that the company is in good shape, there is no reason for any Vendor or VAR NOT to sell stuff to them. Even the e-mail address can be verified. What could go wrong, eh?

Essentially – covering the tracks is of utmost importance. Remote access to the hoaxed e-mail mailbox needs to be covered with Tor or an equivalent, and at the same time prepaid cell phones are needed. This scam requires being in reliable contact with many organizations in the chain – without losing their confidence. Doing that by e-mail is not an issue, but doing it by telephone is. The scam artist needs to be more an actor than a technical wizard. Typical psychopath characteristics, I say.

The artists must be able to determine what the chain is between equipment vendor, reseller, distributor, logistics and the targeted organization. Actually, this makes all of the organizations involved collateral for the fraud. The final card shall be held by the VAR; unfortunately – in the end all fingers shall point in their direction – including the final invoicing notice from the distributor.


Little things create a massive stream, right? So detailed planning for such a scam required some strict organizing AND discipline from the perpetrators’ side as well. Here are a few details.

  • It’s not done by a single perpetrator; it’s organized and a well-formed discipline. For the money or other – say, for more detailed reasons.
  • It required resources spanning from northern Europe to the south.
  • It required native-speaking people, at least in Finland.
  • It required TECHNICAL ability to hide tracks.
  • It required stolen credit card information or other means to BUY a fraudulent Internet domain.
  • It required precise timing.
  • It does need detailed background for understanding how the business flows between the interested parties.
  • It does need the ability to access the Internet as anonymously as possible and through several anonymity gateways outside Scandinavian borders.
  • To make it sufficient, the artist must be able to plan the same scam X times over with different companies, vendors and logistics. Timing, timing, timing!


You need someone at the receiving end as well. Say the cargo went to Barcelona, Spain for further distribution – there is a need for a reliable recipient name as well. The recipient address can be temporary, and the recipient name can be hoaxed. Renting such a warehouse for 2 weeks is not a difficult task. Other tasks involved preparing the next steps for the obtained cargo and distributing it through the networks. A wild guess is that, for the size of the scam, it was a job for at least some 1+3 persons.

4. DEPLOY ‘PAYLOAD’ (The Scam)

Now; this is how the execution phase went. It’s just the climax of the operation itself. The architecture is in place, just run it.

a. Mr. AKA RealName (N1..N) contacts a Vendor X representative just before the summer holidays for some serious business.


b. Vendor is happy to make some sales happen and directs Mr. AKA RealName as a lead to their reseller for making the bid happen.

c. Mr. AKA RealName discusses the details with Vendor X and prepares an RFP for the Reseller for quotation.

d. Whilst the reseller has long been in the business, they do check the credit information of the company, and Vendor X said it looks good! The Internet domain name and the company’s real name have no correlation whatsoever.


e. Ok; given the details, credit is good, CxO is legitimate, we have the e-mail, address, VAT ID etc. – let’s proceed!

f. AKA RealName from Hoaxed org. gives precise delivery instructions for the logistics and reference information for invoicing the hauling.


g. Reseller orders the equipment from the Distributor at pre-negotiated pricing, with the detailed delivery instructions received from the scam artist. Distributor is keen to know who the customer is and checks credit as well – as a precaution. Everything is ok there as well.


h. Distributor sends the cargo directly to the logistics warehouse for delivery and crafts an invoice for the reseller. Transportation & Logistics Co. receives the stuff from the distro and prepares the cargo for the destination in Spain, and crafts an invoice for the AKA RealName scam artist’s pre-defined address billing@org.com and a paper invoicing address leading to The Target’s CxO address.


i. Scam artists’ back-office organization receives the stuff in a temporary warehouse rented for a few weeks and distributes it further.


j. Scam completed – Next: The invoicing.

For a while, everything looks as it should. The cargo went to its destination and the scam artist is able to perform the next phase – a second ordering round. However, here they might make a mistake – so careful detailing is needed. Ordering a different kind of equipment from the same chain of collateral might not look that suspicious, but it must be done quickly, before the reseller asks about the unpaid invoice.

Well, in this case they tried it and almost blew their cover.


During the deployment, careful bookkeeping is essential and keeping up situational awareness is important. Collecting information from all the steps and from all participants happens automatically, as people tend to report how the order is progressing. When the cargo has arrived at its destination, the perpetrators have a decision point: continue OR drop, shut down and disappear.


Smartly observing the next activities performed by the chain is important. As it’s summer holiday time, being a few days late with an invoice payment is easily forgiven, allowing the perpetrators to already prepare the cleanup. Companies send the invoices and notices of unpaid invoices to the scam artist’s forged e-mail box, which allows automatic observation, even from Spain.


Essential to situational awareness: the operation must be cleaned up. Leaving no tracks and no marks of the activities can be done with relative ease: shutting down the operation at both ends. Evidence removal, destroying used laptops, comms etc., moving to another location. Traces ending at both ends make investigation very difficult, especially when Internet service providers’ services such as web-access e-mail are used directly, making it one hop more difficult.


Keeping up appearances sounds unwise at this point, thus understanding that there is an investigation ongoing is essential.


Well – the big picture. Taking into account that 1+x persons can creatively and with discipline create such a scam, they CAN easily copy & paste it again, again & again… Making it happen once for 100k€ is nothing, but making it happen simultaneously for – say – 8-12 companies of similar size – it’s sizeable.


1) Nothing is as it looks until seen through. It’s an organized deception – it is VERY difficult to counter.

3) Time – it can be executed in less than 4 days and traces start to fade immediately – within 3 weeks, it’s gone, baby.

4) Summertime. When the cat is away, the mice have a party. Do not leave your back door unguarded.

5) Guts – the scam artist needs some serious guts to do it. Why does no one ask for any detailed background? Dig deeper.

6) Organized. They are organized and able to perform it. Are you able to counter it? How do you organize your staff for this?

7) When it’s too good – it’s not.

8) TODO: We need some sort of authentication & authorization verification capability against these. Not all companies use electronic billing yet, and what happens outside Scandinavia – well, that’s even more difficult to counter.

9) Players in the chain. There are SO many players in the chain who should consider COMMON MODELS for countering such a scam.
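
A sketch of the kind of verification step called for in point 8, added here as an example and not part of the original post: an order-vetting check a VAR or distributor could run before extending credit, comparing the incoming request against a buyer record verified independently (company registry, earlier contracts). The field names, the 90-day threshold and the sample values are assumptions constructed for illustration; the sender domain's creation date is assumed to have been looked up beforehand from its registration data.

```python
from datetime import date

def split_domain(addr_or_domain):
    """Return (label, tld) for 'user@org.com' or 'org.com' (simple two-part names only)."""
    host = addr_or_domain.rsplit("@", 1)[-1].lower().strip(".")
    label, _, tld = host.rpartition(".")
    return label, tld

def vet_order(order, record, min_domain_age_days=90):
    """Compare an incoming order with the buyer's independently verified record.

    Returns a list of red-flag strings; an empty list means nothing was flagged.
    """
    flags = []
    s_label, s_tld = split_domain(order["sender_email"])
    r_label, r_tld = split_domain(record["verified_domain"])
    if (s_label, s_tld) != (r_label, r_tld):
        if s_label == r_label:
            # Same name under another TLD: the org.fi vs org.com twin.
            flags.append(f"twin domain: {s_label}.{s_tld} is not the verified {r_label}.{r_tld}")
        else:
            flags.append("sender domain does not match the verified domain")
    age = (order["received"] - order["sender_domain_created"]).days
    if age < min_domain_age_days:
        flags.append(f"sender domain registered only {age} days before the request")
    if order["contact_phone"] not in record["verified_phones"]:
        flags.append("contact phone not on record; call back on a verified number")
    if order["delivery_country"] != record["registered_country"]:
        flags.append(f"delivery to {order['delivery_country']}, "
                     f"company registered in {record['registered_country']}")
    return flags

# Constructed sample data modelled on the article's org.fi / org.com case.
RECORD = {"verified_domain": "org.fi",
          "verified_phones": {"+358 9 000 0000"},
          "registered_country": "FI"}
ORDER = {"sender_email": "aka.realname@org.com",
         "sender_domain_created": date(2013, 6, 6),   # registration date given in the post
         "received": date(2013, 6, 10),               # constructed
         "contact_phone": "+358 40 000 0000",         # constructed prepaid number
         "delivery_country": "ES"}

if __name__ == "__main__":
    for flag in vet_order(ORDER, RECORD):
        print("RED FLAG:", flag)
```

None of the flags proves fraud on its own; each one is a reason to confirm the order through a channel taken from the verified record rather than from the request itself.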

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.